Should I release drivers to create, modify or delete any IDT, GDT or LDT descriptors? (These drivers, with source code, may be dangerous in bad hands.)

Yes, let programmers know the methods: 76% [13]
No, for security reasons: 11% [2]
I don't know: 11% [2]

Total votes: 17


Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)

Asmfan:
I use the Syser Kernel Debugger to find bugs in GKP.
The IRET uses this stack information to execute a privilege level change.
Check the GKP library source (page 1):
5) user-mode SS (23h is the most used by programs)
4) user-mode ESP (saved before by the GKP library)
3) user-mode EFLAGS (saved before by the GKP library)
2) user-mode CS (1Bh is the most used by programs)
1) user-mode EIP (provided by popping after the invoke to the library)

This is the format of the IRET stack when the IOPL is less privileged after IRET execution.
For the same privilege, IRET needs only numbers 3, 2, 1.
Sometimes exceptions or NMIs also insert the ERROR CODE into the IRET stack (after number 1).
It is a rule because the instruction fetching and execution is done by the CPU.
Only if you have a different or non-standard CPU is it not the same.
Google for the IRET instruction.

Last edited by Pirata Derek on 26 Jun 2009, 13:01; edited 5 times in total

26 Jun 2009, 11:33
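A model of what IRETD actually pops, as an added example that is not GKP or any code from this thread. It takes from the post above only the push order and the selector values 1Bh and 23h; the stack contents are constructed, and the function names iretd_model and build_user_return_frame are this example's own. The privilege checks it applies are the architectural ones: the return CS must not be more privileged than the current CPL (RPL of CS >= CPL, else #GP), ESP and SS are popped only when the RPL is numerically greater than the CPL, and the popped SS must carry the same RPL as the new CS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The privilege level a selector requests is its low two bits (RPL). */
#define SEL_RPL(sel) ((sel) & 3u)

enum iret_status { IRET_OK = 0, IRET_GP_FAULT = -1 };

/* State IRETD reads and writes: before the call it holds the current CPL
 * and stack pointer, after a successful call the state returned to. */
struct cpu_state {
    uint32_t eip, cs, eflags, esp, ss;
    unsigned cpl;    /* current privilege level */
    size_t   popped; /* dwords consumed from the stack by IRETD */
};

/* Same layout as the thread's FastUserReturn sequence
 * (pushd 23h / pushd ecx / push ebx / pushd 1bh / push eax / iretd).
 * frame[0] is the top of stack, i.e. the last value pushed. */
void build_user_return_frame(uint32_t eip, uint32_t eflags, uint32_t esp,
                             uint32_t frame[5])
{
    frame[0] = eip;     /* eax in the original: user-mode return address */
    frame[1] = 0x1B;    /* user-mode CS, RPL 3 */
    frame[2] = eflags;  /* ebx: saved user EFLAGS */
    frame[3] = esp;     /* ecx: saved user ESP */
    frame[4] = 0x23;    /* user-mode SS, RPL 3 */
}

/* Simulate IRETD executed at privilege level st->cpl on the given stack
 * (stack[0] = top). Returns IRET_GP_FAULT where the CPU would raise #GP
 * (or #SS for a too-short stack). Not modelled: the EFLAGS bits IRET
 * refuses to change when CPL > 0 (IOPL, and IF when CPL > IOPL). */
int iretd_model(const uint32_t *stack, size_t nwords, struct cpu_state *st)
{
    if (nwords < 3) return IRET_GP_FAULT;
    uint32_t cs = stack[1] & 0xFFFFu;
    unsigned rpl = SEL_RPL(cs);

    /* Returning to a code segment more privileged than the current CPL
     * is never allowed: a bogus CS on the frame faults here. */
    if (rpl < st->cpl) return IRET_GP_FAULT;

    if (rpl == st->cpl) {
        /* Same-privilege return: only EIP, CS, EFLAGS are on the frame;
         * ESP and SS keep their current values. */
        st->eip = stack[0]; st->cs = cs; st->eflags = stack[2];
        st->popped = 3;
        return IRET_OK;
    }

    /* Return to a less privileged level: the outer ESP and SS follow. */
    if (nwords < 5) return IRET_GP_FAULT;
    uint32_t ss = stack[4] & 0xFFFFu;
    if (SEL_RPL(ss) != rpl) return IRET_GP_FAULT; /* SS RPL must equal the new CPL */
    st->eip = stack[0]; st->cs = cs; st->eflags = stack[2];
    st->esp = stack[3]; st->ss = ss;
    st->cpl = rpl;
    st->popped = 5;
    return IRET_OK;
}

int main(void)
{
    uint32_t frame[5];
    struct cpu_state st = { .esp = 0x80551000, .ss = 0x10, .cpl = 0 }; /* constructed ring-0 state */
    build_user_return_frame(0x00401000, 0x202, 0x0012FF80, frame);
    if (iretd_model(frame, 5, &st) == IRET_OK)
        printf("ring %u: EIP=%08X CS=%02X SS=%02X ESP=%08X (popped %zu dwords)\n",
               st.cpl, st.eip, st.cs, st.ss, st.esp, st.popped);
    return 0;
}
```

One caveat the model makes visible: IRETD itself never consumes an error code. A handler for an exception that pushes one (#GP, #PF and the like) has to discard that dword with `add esp, 4` before its `iretd`, otherwise the error code is interpreted as EIP and the selector check above faults on what was meant to be the real EIP.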

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)

Quote:

#3 - how do you ensure allocated memory is available across all processes? Manually hack up the pagetables?

Yes, it's one of my next jobs:
1) modify the gates, tasks and traps in the IDT ( <---- current)
2) modify the TSS fields and TR
3) modify the GDT descriptors (afterwards also the LDT)
4) HARD: modify pool tags and physical page entries
5) HARD: modify parts of RAM and the NT kernel
6) VERY VERY HARD: a way to discard the NT kernel from RAM and load a new personal kernel (a new small OS like Menuet)

If I'm not in error, the LDT should have the access settings to process memory.

26 Jun 2009, 11:49

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)

I don't know why your system reboots on driver unload.
My system doesn't have this problem (loading and unloading an unlimited number of times).
Maybe I should disable interrupts when hooking and unhooking sysenter!

Can you report to me the error status code and the register values displayed on the blue screen?

To show the blue screen and inhibit system reboots, do these steps:
1) Right-click the Computer Resources or My Computer icon (I have it in Italian: Risorse del computer)
2) Go to Properties
3) Click the "Advanced" tab (on top)
4) Push the third vertical button (I don't know what the "Avvio e ripristino" [Startup and Recovery] button is called in English)
5) Uncheck the automatic reboot on system error
6) Apply the new settings
7) Reboot the system to save the new settings

From now on, if your system crashes it will not reboot but will display the blue screen with the information (CTRL+ALT+DEL to reboot).
I'm going to release to you another source (tested on my PC first) without this bug.
(I need the crash error details first.)

26 Jun 2009, 12:34

windwakr (Joined: 30 Jun 2004, Posts: 827, Location: Michigan, USA)

Uh, ya... When I try to enable that I get an error that the Alerter service is disabled; I try to enable that and get an error that its dependencies are disabled... so screw this, I don't need all those dumb services running... But looking in Event Viewer I see this; could it help you? If not, then forget it. I'm not turning all that crap I turned off back on.

Quote:

6) VERY VERY HARD: a way to discard NT kernel from RAM and load a new personal kernel (new small OS like menuet)

I wouldn't even attempt this - there's way too much hardware initialization that you'd have to "undo".

Quote:

If i'm not on error, LDT should have the access settings to processes memory

LDT means just about nothing in this regard; you have to do some heavy pagetable manipulation (remember that CR3 is a per-process field; I can't remember if it's part of the thread context, but it should only change per process).

_ "A task is a unit of work that a processor can dispatch, execute, and suspend"
_ "The IA-32 architecture provides a mechanism for saving the state of a task, for dispatching tasks for execution, and for switching from one task to another."
_ "A task is made up of two parts: a task execution space and a task-state segment (TSS)"
_ "Prior to dispatching a task, all of these items are contained in the task's TSS, except the state of the task register. Also, the complete contents of the LDTR register are not contained in the TSS, only the segment selector for the LDT."
_ "Software or the processor can dispatch a task for execution in one of the following ways:
• A explicit call to a task with the CALL instruction.
• A explicit jump to a task with the JMP instruction.
• An implicit call (by the processor) to an interrupt-handler task.
• An implicit call to an exception-handler task.
• A return (initiated with an IRET instruction) when the NT flag in the EFLAGS register is set."

_ "The processor state information needed to restore a task is saved in a system segment called the task-state segment (TSS)."
_ "CR3 control register field: Contains the base physical address of the page directory to be used by the task. Control register CR3 is also known as the page-directory base register (PDBR)."
_ "The page-directory base register (CR3) also is reloaded on a task switch, allowing each task to have its own set of page tables."

Does your processor have the multi-tasking feature?
If not, then you are right; otherwise, to let your last post stand, you should:

Last edited by Pirata Derek on 27 Jun 2009, 13:10; edited 1 time in total

27 Jun 2009, 12:30
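The "heavy pagetable manipulation" f0dder mentions, and the per-process CR3 the Intel quotes above describe, as an added example that is not part of any post in this thread. It simulates 32-bit non-PAE paging (the mode a 2009-era 32-bit XP uses without PAE) over a small constructed "physical memory" with two page directories standing in for two processes; every address, table and frame number is made up, and the names walk, access_ok and build_tables are this example's own. The point it shows is the one f0dder makes: whether a page is visible to a process, and whether ring 3 may touch it, is decided by the PDE/PTE bits reached from that process's CR3, not by any LDT setting, and memory is "available across all processes" only when every directory maps the same frame.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* 32-bit, non-PAE paging: CR3 -> page directory -> page table -> 4 KiB frame. */
#define PG_P   (1u << 0)   /* present */
#define PG_RW  (1u << 1)   /* writable */
#define PG_US  (1u << 2)   /* user (CPL 3) may access */
#define PG_PS  (1u << 7)   /* PDE maps a 4 MiB page directly (no page table) */
#define PAGE   4096u

/* Constructed "physical memory": 8 frames, indexed by physical address. */
static uint8_t phys_mem[8 * PAGE];

struct mapping { bool present, user, writable, large; uint32_t phys; };

static uint32_t rd32(uint32_t pa) { uint32_t v; memcpy(&v, phys_mem + pa, 4); return v; }
static void     wr32(uint32_t pa, uint32_t v) { memcpy(phys_mem + pa, &v, 4); }

/* Translate va under the page directory named by cr3. Returns false if the
 * translation is not present at either level. */
bool walk(uint32_t cr3, uint32_t va, struct mapping *m)
{
    memset(m, 0, sizeof *m);
    uint32_t pde = rd32((cr3 & ~0xFFFu) + (va >> 22) * 4);
    if (!(pde & PG_P)) return false;
    if (pde & PG_PS) {                         /* 4 MiB page: no second level */
        m->present = true; m->large = true;
        m->user = pde & PG_US; m->writable = pde & PG_RW;
        m->phys = (pde & 0xFFC00000u) | (va & 0x3FFFFFu);
        return true;
    }
    uint32_t pte = rd32((pde & ~0xFFFu) + ((va >> 12) & 0x3FFu) * 4);
    if (!(pte & PG_P)) return false;
    m->present = true;
    /* Rights combine across both levels: the more restrictive one wins. */
    m->user     = (pde & PG_US) && (pte & PG_US);
    m->writable = (pde & PG_RW) && (pte & PG_RW);
    m->phys = (pte & ~0xFFFu) | (va & 0xFFFu);
    return true;
}

/* Would an access at the given CPL fault? (CR0.WP assumed clear, so
 * supervisor writes to read-only pages are allowed, as the CPU does.) */
bool access_ok(const struct mapping *m, unsigned cpl, bool write)
{
    if (!m->present) return false;
    if (cpl == 3 && !m->user) return false;
    if (cpl == 3 && write && !m->writable) return false;
    return true;
}

/* Two "processes": directory A at phys 0x0000 with its table at 0x1000,
 * directory B at 0x4000 with its table at 0x5000. Both map VA 0x00400000,
 * but A backs it with frame 0x2000 and B with frame 0x6000 (private);
 * VA 0x00401000 points at frame 0x3000 in both (shared, kernel-only).
 * A additionally has a user read-only 4 MiB page at VA 0x00800000. */
#define CR3_A 0x0000u
#define CR3_B 0x4000u

void build_tables(void)
{
    memset(phys_mem, 0, sizeof phys_mem);
    /* process A */
    wr32(CR3_A + 1 * 4, 0x1000 | PG_US | PG_RW | PG_P);       /* PDE[1]: VA 0x00400000-0x007FFFFF */
    wr32(0x1000 + 0 * 4, 0x2000 | PG_US | PG_RW | PG_P);      /* PTE[0]: user RW, private to A */
    wr32(0x1000 + 1 * 4, 0x3000 | PG_RW | PG_P);              /* PTE[1]: supervisor only, shared */
    wr32(CR3_A + 2 * 4, 0x00400000 | PG_PS | PG_US | PG_P);   /* PDE[2]: 4 MiB user read-only page */
    /* process B */
    wr32(CR3_B + 1 * 4, 0x5000 | PG_US | PG_RW | PG_P);
    wr32(0x5000 + 0 * 4, 0x6000 | PG_US | PG_RW | PG_P);      /* same VA, different frame */
    wr32(0x5000 + 1 * 4, 0x3000 | PG_RW | PG_P);              /* same frame as A: visible in both */
}

int main(void)
{
    struct mapping m;
    build_tables();
    walk(CR3_A, 0x00400123, &m);
    printf("A: VA 00400123 -> PA %08X user=%d rw=%d\n", m.phys, m.user, m.writable);
    walk(CR3_B, 0x00400123, &m);
    printf("B: VA 00400123 -> PA %08X user=%d rw=%d\n", m.phys, m.user, m.writable);
    return 0;
}
```

A driver that wants a buffer reachable from every process therefore has to install the same frame into every directory it cares about (or into a region the OS already shares, which on NT is the kernel half), and a hooked handler that touches the buffer at a raised IRQL must also make sure the frame is never paged out, which is exactly why non-pageable sections come up later in the thread.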

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)

Yesterday I assembled the modified version of GKP for you.
There are 2 modifications:
1) All sections are NOT PAGEABLE, so the system doesn't need to access a paged area at its IRQL.
2) Inserted CLI and afterwards STI to let the driver change MSR_SYSENTER_EIP without any interrupt.

Pirata Derek: trust me, Windows doesn't use the TSS for context switching; like most OSes it does manual register loading since it's faster. And iirc in x64 mode you can't use TSS-based task switching anyway.

But even though the TSS isn't used for context switches, you must set one up anyway; iirc this is required to handle ring switches (I forget the specifics, the last time I touched my kernel.asm was back in 2001).

27 Jun 2009, 14:46

windwakr (Joined: 30 Jun 2004, Posts: 827, Location: Michigan, USA)

Results are pretty much the same as before: after loading the driver the program only successfully finishes (reaches the second message box) about 50% of the time. When I try stopping the driver it's still a 50/50 chance to reboot.

27 Jun 2009, 16:13

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)

f0dder:
You are telling me different things than other people do.
Who should I believe?

Please send me or post the detailed method of how you think Windows does a TASK SWITCH.

Last edited by Pirata Derek on 28 Jun 2009, 11:18; edited 1 time in total

28 Jun 2009, 10:48

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)

I can't understand why GKP behaves so badly.

2 months ago my system had the same problem when installing some audio drivers.
After the install finished, the blue screen of death displayed the error "Driver not less or equal" every time!
Then I decided to reinstall Windows from the CD, and during the reinstallation the system told me:
"There is a driver trying to damage the system!"
AH! F***ing driver!
I formatted the whole hard disk and after that there were no problems.

1 month later, during a web search, my OS firewall (ZoneAlarm) displayed the warning: "SVCHOST is loading the driver: ....." (I don't remember the path name).
I analyzed this driver with IDA and I saw that it is a virus driver (because some strings contained the word "HACK").
I deleted it.

Maybe some drivers (rootkits) interfere with normal system work...

28 Jun 2009, 11:18

f0dder (Joined: 19 Feb 2004, Posts: 3170, Location: Denmark)

The Intel document shows you how to do TSS-based context switching, but it doesn't say you have to use this method; and as already mentioned, most OSes don't use the TSS for context switching because it's slow (check some osdev resources), and it doesn't handle the full context anyway (fpu, xmm).

I don't have a disassembly of KiSwapContext lying around right now, and can't remember if the symbol is publicly exported from the kernel. I'll try loading up a 32-bit XP virtual machine when I get home from work and see if I can produce a relevant disassembly listing for you.

PS: I'm not saying that the TSS isn't used at all in the system, just that it's not used for context switches.

28 Jun 2009, 16:14

asmfan (Joined: 11 Aug 2006, Posts: 392, Location: Russia)

Pirata Derek
I asked about some code from your first posts:

Code:

FastUserReturn:
        pushd   23h     ; user-mode SS
        pushd   ecx     ; user-mode ESP (saved earlier by the library)
        push    ebx     ; user-mode EFLAGS (saved earlier by the library)
        pushd   1bh     ; user-mode CS
        push    eax     ; user-mode EIP (return address)
        iretd           ; pops EIP, CS, EFLAGS, ESP, SS and drops to ring 3

because I just hadn't noticed that you set them in advance in the test program.

Then another question: why did you decide to use iretd? Isn't sysexit the best for "symmetry"?
And what happens if the source selector is different from the code one? Suppose DEP is disabled. Then what is the result of such processing in the interception?

I used sysexit, but when debugging (kernel-mode) the Syser debugger showed me that after sysexit the eflags remain unchanged!!!
And sometimes the system crashes when an exception occurs in the test program.

Sysexit creates some problems for me.
Iretd does the same (return to user mode) better; also you can decide the return EIP, the CS, the eflags, the ESP and the SS, but with sysexit only the ESP and EIP (ecx, edx).

Selector different from code... program code or system code?
Post me some example so I can answer you.
The CPU always makes an RPL check on the (destination) segments on a privilege change.
For example, if the destination CS RPL is 2 but the destination IOPL (EFLAGS) is 3 there is a GP fault.
If the destination CS RPL = 3 but the destination IOPL = 0 there is nothing.

29 Jun 2009, 12:36

Japheth

Joined: 26 Oct 2004
Posts: 151

Japheth

Pirata Derek wrote:

f0dder:
You are telling me different things than other people do.
Who should I believe?

I'd say: believe f0dder!

As proof (not 100%, but 99%) that there's no TSS-based task switching in Windows, see this little program:

Description:
Stores the segment selector from the task register (TR) in the destination operand. The destination operand can be a general-purpose register or a memory location. The segment selector stored with this instruction points to the task state segment (TSS) for the currently running task.

The examples display only the TR of their current process!

P.S. Why don't you (all) install a kernel debugger and then analyze the IDT, GDT and LDT?
You will find some task gates with different TR selectors...
Use my GKP and execute a call into these gates (the CPU must execute a task switch).

I'm going to create a task gate that points to my driver, and it will automatically show me if the TR is different before and after calling the task gate (driver linked).
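Decoding the raw IDT and GDT entries that the "analyze the IDT, GDT and LDT" suggestion above and the earlier "modify the gates, tasks and traps on IDT / modify the GDT descriptors" plan both depend on, as an added example that is not GKP and not code from any post. The 8-byte layouts are the IA-32 ones; the sample tables are constructed, not dumped from a real system: the selector numbers 1Bh and 23h match the thread, while the TSS selector 28h, the TSS base and the handler addresses are invented, and the names decode_gate, decode_segment and find_task_gates are this example's own. The scan at the end does mechanically what the post proposes doing in a debugger: list every present task gate together with the TSS selector it would load into TR.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum desc_kind {
    DESC_SEGMENT,     /* S=1: code or data segment (GDT/LDT) */
    DESC_SYSTEM,      /* S=0, non-gate: TSS or LDT descriptor (GDT) */
    GATE_TASK,        /* type 5: task gate, selector names a TSS */
    GATE_INTERRUPT32, /* type 0xE: 32-bit interrupt gate (IF cleared on entry) */
    GATE_TRAP32,      /* type 0xF: 32-bit trap gate (IF unchanged) */
    GATE_OTHER        /* 16-bit gates, call gates, unknown */
};

struct decoded {
    enum desc_kind kind;
    unsigned type, dpl, present;
    uint32_t base, limit;   /* segment/system descriptors; limit already scaled by G */
    uint16_t selector;      /* gates: target code segment or TSS selector */
    uint32_t offset;        /* interrupt/trap gates: handler EIP */
};

static uint64_t load_le64(const uint8_t b[8])
{
    uint64_t q = 0;
    for (int i = 7; i >= 0; i--) q = (q << 8) | b[i];
    return q;
}

/* Decode 8 raw bytes as a GDT/LDT entry. */
void decode_segment(const uint8_t raw[8], struct decoded *d)
{
    uint64_t q = load_le64(raw);
    d->type    = (unsigned)((q >> 40) & 0xF);
    d->dpl     = (unsigned)((q >> 45) & 3);
    d->present = (unsigned)((q >> 47) & 1);
    d->kind    = ((q >> 44) & 1) ? DESC_SEGMENT : DESC_SYSTEM;   /* S bit */
    d->base    = (uint32_t)(((q >> 16) & 0xFFFFFF) | (((q >> 56) & 0xFF) << 24));
    d->limit   = (uint32_t)((q & 0xFFFF) | (((q >> 48) & 0xF) << 16));
    if ((q >> 55) & 1)                       /* G=1: limit counts 4 KiB pages */
        d->limit = (d->limit << 12) | 0xFFF;
    d->selector = 0; d->offset = 0;
}

/* Decode 8 raw bytes as an IDT entry. */
void decode_gate(const uint8_t raw[8], struct decoded *d)
{
    uint64_t q = load_le64(raw);
    d->type     = (unsigned)((q >> 40) & 0xF);
    d->dpl      = (unsigned)((q >> 45) & 3);
    d->present  = (unsigned)((q >> 47) & 1);
    d->selector = (uint16_t)(q >> 16);
    d->offset   = (uint32_t)((q & 0xFFFF) | ((q >> 48) << 16));
    d->base = d->limit = 0;
    if ((q >> 44) & 1) { d->kind = GATE_OTHER; return; }   /* S=1 is never a gate */
    switch (d->type) {
    case 0x5: d->kind = GATE_TASK; d->offset = 0; break;  /* offset field unused */
    case 0xE: d->kind = GATE_INTERRUPT32; break;
    case 0xF: d->kind = GATE_TRAP32; break;
    default:  d->kind = GATE_OTHER; break;
    }
}

/* Collect the TSS selectors of all present task gates in an IDT image. */
size_t find_task_gates(const uint8_t *idt, size_t entries,
                       uint16_t *selectors, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < entries && n < max; i++) {
        struct decoded d;
        decode_gate(idt + i * 8, &d);
        if (d.kind == GATE_TASK && d.present) selectors[n++] = d.selector;
    }
    return n;
}

/* Constructed GDT: null, ring-0 code (08h), ring-0 data (10h), ring-3 code
 * (18h, used as 1Bh), ring-3 data (20h, used as 23h), 32-bit TSS (28h). */
const uint8_t sample_gdt[6 * 8] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0xFF,0xFF,0x00,0x00,0x00,0x9B,0xCF,0x00,
    0xFF,0xFF,0x00,0x00,0x00,0x93,0xCF,0x00,
    0xFF,0xFF,0x00,0x00,0x00,0xFB,0xCF,0x00,
    0xFF,0xFF,0x00,0x00,0x00,0xF3,0xCF,0x00,
    0xAB,0x20,0x00,0x20,0x04,0x89,0x00,0x80,   /* TSS: base 80042000h, limit 20ABh */
};

/* Constructed IDT, vectors 0..3: two DPL-0 interrupt gates, a task gate
 * for vector 2 pointing at TSS 28h, and a DPL-3 interrupt gate (callable
 * from ring 3 with INT, the way a system-call vector is). */
const uint8_t sample_idt[4 * 8] = {
    0x00,0xA1,0x08,0x00,0x00,0x8E,0x53,0x80,
    0x60,0xA2,0x08,0x00,0x00,0x8E,0x53,0x80,
    0x00,0x00,0x28,0x00,0x00,0x85,0x00,0x00,
    0xC0,0xA3,0x08,0x00,0x00,0xEE,0x53,0x80,
};

int main(void)
{
    uint16_t sels[4];
    size_t n = find_task_gates(sample_idt, sizeof sample_idt / 8, sels, 4);
    for (size_t i = 0; i < n; i++) {
        struct decoded tss;
        decode_segment(sample_gdt + (sels[i] & ~7u), &tss);
        printf("task gate -> TSS selector %04X: base %08X limit %05X type %X\n",
               sels[i], tss.base, tss.limit, tss.type);
    }
    return 0;
}
```

Two checks worth keeping in mind when walking a live table this way: a gate's DPL is what decides whether ring 3 may reach it with a software INT (the 0xEE entry above is reachable, the 0x8E ones are not), and a task gate's selector only makes sense if the GDT entry it names decodes as a system descriptor of type 9 (available 32-bit TSS) or 0xB (busy); anything else at that slot means the gate is stale or corrupt.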
